  1. #1
    Join Date
    May 2007
    Location
    Chester, UK
    Posts
    271

    Latest Zamfoo version sends your ROOT PASSWORD by e-mail back to them!

    From a thread I've just seen over at DigitalPoint:

    http://forums.digitalpoint.com/showthread.php?t=1392703


    First of all, what I am going to disclose here is not a fake statement.
    I am also a user of Zamfoo and like this script, especially the support of Zamfoo.
    But I found that every time you run the Zamfoo upgrade, Zamfoo decodes the server root password and sends that password to support@zamfoo.com.
    See the email below:

    Code:
    version 3.1 license: xxxxxxxxxxxxxxx
    
     debugger: Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
    
     Platform:
    
       osname=linux, osvers=2.6.18-128.1.1.el5.028stab062.3, archname=i686-linux
    
       uname='linux Serverhost name 2.6.18-128.1.1.el5.028stab062.3 #1 smp sun may 10 18:54:51 msd 2009 i686 i686 i386 gnulinux '
    
       config_args='-ds -e -Dprefix=/usr/local -Doptimize=-Os -Duseshrplib -Dusemymalloc=y'
    
       hint=recommended, useposix=true, d_sigaction=define
    
       usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    
       useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    
       use64bitint=undef use64bitall=undef uselongdouble=undef
    
       usemymalloc=y, bincompat5005=undef
    
     Compiler:
    
       cc='cc', ccflags ='-fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    
       optimize='-Os',
    
       cppflags='-fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -I/usr/include/gdbm'
    
       ccversion='', gccversion='4.1.2 20080704 (Red Hat 4.1.2-44)', gccosandvers=''
    
       intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    
       d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    
       ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    
       alignbytes=4, prototype=define
    
     Linker and Libraries:
    
       ld='cc', ldflags =' -L/usr/local/lib'
    
       libpth=/usr/local/lib /lib /usr/lib
    
       libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
    
       perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
    
       libc=/lib/libc-2.5.so, so=so, useshrplib=true, libperl=libperl.so
    
       gnulibc_version='2.5'
    
     Dynamic Linking:
    
       dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/local/lib/perl5/5.8.8/i686-linux/CORE'
    
       cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'
    
     
    
     
    
    Characteristics of this binary (from libperl):
    
     Compile-time options: MYMALLOC PERL_MALLOC_WRAP USE_LARGE_FILES
    
                           USE_PERLIO
    
     Built under linux
    
     Compiled at Jun  3 2009 02:53:21
    
     @INC:
    
       /usr/local/lib/perl5/5.8.8/i686-linux
    
       /usr/local/lib/perl5/5.8.8
    
       /usr/local/lib/perl5/site_perl/5.8.8/i686-linux
    
       /usr/local/lib/perl5/site_perl/5.8.8
    
       /usr/local/lib/perl5/site_perl
    
       .
    
     
    
     querystring: license=YouZamfooLicenseDetail
    
     compare:
    
     capture: read_license,pathtranslated,php_exec_curl,parse xml,parseurl,
    
     capture2: PATH=/usr/local/jdk/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/courier-imap/sbin:/usr/lib/courier-imap/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin:/opt/bin
    
    DOCUMENT_ROOT=/usr/local/cpanel/base
    
    SERVER_SOFTWARE=cpaneld
    
    CPANEL=active
    
    SERVER_PORT=2086
    
    SERVER_PROTOCOL=HTTP/1.1
    
    GATEWAY_INTERFACE=CGI/1.1
    
    DNS=yourdomain.com
    
    REMOTE_HOST=212.116.219.101
    
    REMOTE_ADDR=212.116.219.101
    
    REMOTE_PORT=38184
    
    SERVER_ADDR=YourServerMainIP
    
    REQUEST_METHOD=GET
    
    CONTENT_LENGTH=
    
    QUERY_STRING=
    
    ACCEPT_ENCODING=gzip,deflate
    
    TRANSFER_ENCODING=
    
    REQUEST_URI=/cgi/zamfoo/zamfoo_b9_toolset.cgi
    
    SCRIPT_URI=/cgi/zamfoo/zamfoo_b9_toolset.cgi
    
    HTTP_X_FORWARDED_FOR=xxxxxxxx
    
    HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
    
    HTTP_REFERER=http://xxxxxxxxxxxxx:2086/cgi/zamfoo/zamfoo_landing_root.cgi
    
    CONTENT_TYPE=
    
    HTTP_COOKIE=logintheme=cpanel; whostmgrrelogin=no; whostmgrsession=closed
    
    HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
    
    HTTP_ACCEPT_ENCODING=gzip,deflate
    
    HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
    
    HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    
    HTTP_HOST=ServerMainIP
    
    SERVER_NAME=ServerMainIP
    
    SUBID=
    
    UPLINK=
    
    REMOTE_USER=root
    
    REMOTE_PASSWORD=xxxxxxxxxxx
    
    SCRIPT_NAME=/cgi/zamfoo/zamfoo_b9_toolset.cgi
    
    SCRIPT_FILENAME=/usr/local/cpanel/whostmgr/docroot/cgi/zamfoo/zamfoo_b9_toolset.cgi
    
    REDIRECT_STATUS=1
    I have changed and bolded my server details.

    How can you test on your server?

    I don't know whether it will work for you or not, but try it.
    Create a cPanel account with the domain zamfoo.com,
    then create an email ID in this account via cPanel: support@zamfoo.com

    Now run the upgrade via Zamfoo >> B9 Tool Set - BETA >> check Update ZamFoo
    and click do it

    After that, check the email of support@zamfoo.com.
    You will see the email above.

    Method 2:
    Block all outgoing email, then check Mail Queue Manager under root WHM after upgrading Zamfoo; you will see this email.

    ----

    This certainly does seem worrying for a piece of hosting software, it has been confirmed by the producer of the script later on in the thread and they're working on a patch . . . they said it was put in by accident.

    I don't use the software personally, never will touch anything to do with master reseller. I thought I'd post a thread here since there isn't one currently.
    ClanDrive Hosting | The No Fuss Webhost
    Shared & Reseller * Seattle - West Coast * LiteSpeed * cPanel * Fantastico * R1Soft * &More *
    Dedicated * Seattle - West Coast * 1-Minute Monitoring *
    VPS * NY - East Coast * OpenVZ *
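
    A way to automate the "Method 2" check described in the post above, as an added example that is not part of the original thread or of Zamfoo: it scans one queued message for credential-style variables such as the `REMOTE_PASSWORD` line in the quoted e-mail and reports whether it is addressed off-server. The function name, the extra name suffixes and the sample message are assumptions.

    ```python
    import re
    from email import message_from_string
    from email.utils import getaddresses

    # Lines of the form NAME=value whose NAME suggests a credential. REMOTE_PASSWORD
    # is the variable in the dump above; the other suffixes are assumptions.
    CREDENTIAL_LINE = re.compile(
        r"^[ \t]*([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN)[A-Z0-9_]*)[ \t]*=[ \t]*\S+",
        re.MULTILINE,
    )

    def scan_message(raw, local_domains):
        """Inspect one RFC 2822 message taken from the mail queue.

        Returns the credential variable names found in the body (never their
        values) and the recipients whose domain is not in local_domains."""
        msg = message_from_string(raw)
        recipients = [addr for _, addr in getaddresses(
            msg.get_all("To", []) + msg.get_all("Cc", [])) if addr]
        external = [r for r in recipients
                    if r.rsplit("@", 1)[-1].lower() not in local_domains]
        # Join every non-container part so multipart mail is covered too.
        body = "\n".join(
            part.get_payload(decode=True).decode("utf-8", "replace")
            for part in msg.walk() if not part.is_multipart())
        names = list(dict.fromkeys(m.group(1) for m in CREDENTIAL_LINE.finditer(body)))
        return {"variables": names, "external_recipients": external,
                "leak": bool(names and external)}

    # Constructed sample in the shape of the e-mail quoted above; values are fake.
    SAMPLE = """\
    From: root@server.example
    To: support@zamfoo.com
    Subject: debugger

    version 3.1 license: xxxxxxxxxxxxxxx
    SERVER_PORT=2086
    REMOTE_USER=root
    REMOTE_PASSWORD=not-a-real-password
    SCRIPT_NAME=/cgi/zamfoo/zamfoo_b9_toolset.cgi
    """

    if __name__ == "__main__":
        print(scan_message(SAMPLE, local_domains={"server.example"}))
    ```

    On an Exim-based server, the complete text of a queued message can be obtained with `exim -Mvc <message-id>` and passed to `scan_message`.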

  2. #2
    Join Date
    Mar 2009
    Location
    Chicago, IL
    Posts
    219
    Wow. And I thought only rootkits did that. As a side note, they don't even have a website up now, heh.

  3. #3
    Join Date
    Feb 2008
    Location
    United Kingdom
    Posts
    458
    Their website tries to download something to my hard drive.

  4. #4
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    hi,

    the website was down while php was being recompiled. the site is back up. i will answer any and all questions pertaining to this. and regularly update both DP and here pertaining to this. i was just notified of this thread. the thread on DP contains at this point a better and full explanation as to how this occurred and what is being done about it.

    thanks,
    kevin

  5. #5
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    hi,

    there is now a patch available through the update function. an email to all clients has been queued for sending. please run the update function. verify that the version has changed to version 3.4

    after successful update then immediately change your password. we encourage you to retest and ensure that this gap is fully closed.

    thanks,
    kevin

  6. #6
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    to all WHT people: please also read the DP posts as it may contain information not posted here.


    hi,

    i feel and hope that this matter is now closed. i am providing for public record the email that has been sent to every client regarding this matter

    email
    ------

    hi,

    we regret to inform everyone that a mistake was made when releasing version 3.3

    we did not remove a piece of debugging code from our script. the debugging code, unbeknownst to us was mailing us root credentials in plain text. this has been pointed out on some forums this morning.

    we are terribly sorry that this has occurred. earlier today we released an initial patch. we now have a full patch available which can be run through the easy updater.

    we understand the full severity of this mishap and hope that you continue to trust our software, support and intention of not causing harm to your business, your systems or anyone else's systems through your servers.

    full explanations, ways to replicate the problem and see it first hand, an explanation on how and why this piece of code was in the software can be found on the forums.digitalpoint.com and webhostingtalk.com websites as well as the method to verify in the future that this doesn't occur.


    please do the following IMMEDIATELY:
    --------------------------------------------

    run the update script from b9 toolset
    then verify that you are running version 3.4 from the footer of the root reseller screen
    then change your root password


    we will not confirm on an individual server, client or license basis that the problem has been corrected but will ask the clients and people who have reported the problem to publicly that the problem has been corrected.


    we value your business greatly and cherish our good standing reputation. we can only hope that this blemish doesn't permanently impact the view of how good or how secure the software is.


    sincerest apologies,
    kevin
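
    The e-mail above attributes the leak to debugging code that mailed out the CGI environment. As an added example (not Zamfoo's code, which is not shown in this thread), the sketch below compares a name-based denylist with an allowlist for such a diagnostic dump; the key selection, function names and sample values are assumptions.

    ```python
    import re

    # Keys a support dump plausibly needs, picked from the variables in the e-mail
    # quoted in this thread. The selection itself is an assumption.
    DIAGNOSTIC_KEYS = frozenset({
        "SERVER_SOFTWARE", "SERVER_PORT", "SERVER_PROTOCOL", "GATEWAY_INTERFACE",
        "REQUEST_METHOD", "SCRIPT_NAME", "REMOTE_USER",
    })
    DENY_PATTERN = re.compile(r"PASS|SECRET|TOKEN")

    def dump_with_denylist(environ):
        """Quick fix: hide variables whose name looks secret, keep the rest."""
        return {k: ("[withheld]" if DENY_PATTERN.search(k) else v)
                for k, v in environ.items()}

    def dump_with_allowlist(environ, allowed=DIAGNOSTIC_KEYS):
        """Keep values only for named diagnostic keys; every other variable,
        including ones added by future versions, is listed without its value."""
        return {k: (v if k in allowed else "[withheld]")
                for k, v in environ.items()}

    def exposed(dump, secrets):
        """Names of variables whose secret value survives in a dump."""
        return sorted(k for k, v in dump.items() if v in secrets)

    # Constructed environment in the shape of the dump in this thread; fake values.
    CGI_ENV = {
        "SERVER_SOFTWARE": "cpaneld",
        "SERVER_PORT": "2086",
        "REQUEST_METHOD": "GET",
        "REMOTE_USER": "root",
        "REMOTE_PASSWORD": "not-a-real-password",
        "HTTP_COOKIE": "whostmgrsession=fake-session-id",
    }
    SECRETS = {CGI_ENV["REMOTE_PASSWORD"], CGI_ENV["HTTP_COOKIE"]}

    if __name__ == "__main__":
        print("denylist still exposes:", exposed(dump_with_denylist(CGI_ENV), SECRETS))
        print("allowlist still exposes:", exposed(dump_with_allowlist(CGI_ENV), SECRETS))
    ```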

  7. #7
    Join Date
    May 2009
    Posts
    149
    Hi
    Both whmreseller and zamfoo were caught for sending our root password because both are running inside the server as executable files.

    Another one is WHMPHP, which is, I believe, the safest one in the market regarding server security. Since it is of PHP and communicating directly with the cPanel (direct quote from the author) it can not send out root passwords from the server.

    CGI programs can collect environment variables and thus send our root passwords. Such a backdoor is zamfoo. Thumbs down

  8. #8
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    hi,

    as i stated. it was an accidental oversight in version 3.3 release. a patch was issued within 1 hour.

    php and mysql are much more vulnerable to cross site scripting and remote file injection. these are big issues. if you use whmphp for multiple servers then you are vulnerable to not just one machine...but all of them.

    i'm not putting down whmphp but there are drawbacks to their software as well. additionally php can similarly grab environment variables.

    kevin
    Last edited by hostydotnet; 06-30-2009 at 09:55 AM.

  9. #9
    Join Date
    May 2009
    Posts
    149
    Quote Originally Posted by hostydotnet
    hi,

    as i stated. it was an accidental oversight in version 3.3 release. a patch was issued within 1 hour.

    php and mysql are much more vulnerable to cross site scripting and remote file injection. these are big issues. if you use whmphp for multiple servers then you are vulnerable to not just one machine...but all of them.

    i'm not putting down whmphp but there are drawbacks to their software as well. additionally php can similarly grab environment variables.

    kevin

    Hm.. I believe you are not aware of php.
    PHP can not collect dangerous information such as server root password, like what you did with your script.

    File and sql injection, a good php developer can overcome it, and I haven't heard any single bad comment about whmphp. My friend is using it on his server and we both have nothing to say other than it's just great.

    I have checked your script as well, well, it really ***ks! IMO. Plus today I heard the news as well, that it collects server root password same as whmreseller as proved by coolstfuff on DP

  10. #10
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    hi,

    it does not collect root passwords. you can verify this. additionally php has the availability to contain cgi code and use cgi libraries so the claim that this is not possible is entirely.....unintelligent.

    kevin
    Last edited by hostydotnet; 06-30-2009 at 10:17 AM.

  11. #11
    Join Date
    May 2009
    Posts
    149
    Quote Originally Posted by hostydotnet
    hi,

    it does not collect root passwords. you can verify this. additionally php has the availability to contain cgi code and use cgi libraries so the claim that this is not possible is entirely.....unintelligent.

    kevin
    Can you elaborate on these sentences?
    It does not collect? Which one? zamfoo? Well, it was already proved that zamfoo collects root pass and sends it to support@zamfoo.com for you

  12. #12
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    hi,

    zamfoo does not collect root passwords, v3.3 was the only piece that had the debugging code in it. it was removed within the hour. you can verify it does not do what you are claiming to be the case. download the latest version, install it and do what they are telling you to do. you will see no passwords are sent.

    kevin

  13. #13
    Join Date
    May 2009
    Posts
    149
    Quote Originally Posted by hostydotnet
    hi,

    zamfoo does not collect root passwords, v3.3 was the only piece that had the debugging code in it. it was removed within the hour. you can verify it does not do what you are claiming to be the case. download the latest version, install it and do what they are telling you to do. you will see no passwords are sent.

    kevin
    Since the codes are encrypted, there is no way to verify it.

    Well, you seem like a little kid who is playing with me by arguing

  14. #14
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    Quote Originally Posted by 10gbUS
    Since the codes are encrypted, there is no way to verify it.

    Well, you seem like a little kid who is playing with me by arguing
    i'm not arguing with you. you clearly do not know what you are talking about. i'm attempting to clarify your misconception.

    yes it can be verified. without giving my source code away.
    there are posts on how to verify the software is not sending root passwords.

    did you read this full thread which i clearly point to and say how to verify that the debugging code has been removed or just post blindly to it about whmphp as a plug for the whmphp script?

  15. #15
    Join Date
    Sep 2007
    Posts
    815
    I think he is not plugging whmphp. he was stating the fact that your script is collecting passwords. by stating that, it's unavoidable to compare you to other master script providers. don't get too defensive just because someone pointed out a fact. you may have already patched it but you can't deny that you have already collected root password before you were able to patch it. That means all your clients had to change root password just to ensure that zamfoo will not be like rootkits
    All things work together for the good of those who love God - Romans 8:28
